Human Metrics – Measuring Behavior

The human element is one of the weakest links, as a result your employees are now the primary attack vector.  From phishing and infected USB drives to lost mobile devices and weak passwords, people represent the greatest risk to most organizations.  Many organizations are now rolling out security awareness programs with the intent of changing […]

Read more

Security Awareness Has Failed: A Suggested New Approach!

For over 30 years, the security community mantra has been to deliver annual or regular security awareness education sessions to staff. And for over 30 years, the “big stick” approach has failed to produce any appreciable results. For the most part security awareness training has become ” a corporate check box” and is used to […]

Read more

Re-Thinking Security Operations

Do your security solutions deliver effective coverage against the challenging new threat environment?  The threat environment has grown to be a too large a problem with protection infrastructures too narrow a solution to cover every possible attack in every circumstance.  Progressive (and costly) concepts like situation awareness, globally integrated intelligence and access to advanced tools […]

Read more

Scaling Security in Agile Scrum

Agile Scrum is here to stay, and security teams aren’t adapting quickly enough. “Best-practice” Agile SDL models aren’t very helpful because they assume a simplified, idealized model of how software is built. In the real world, software development often involves multiple Scrum teams working on various components of a larger product. As a result, application […]

Read more

Quantitative Risk Analysis and Information Security: An OpenFair Case Study from BMO

Risk analysis – nobody wants to do it, but everybody wants the answer when it’s done. Business today is full of qualitative methods for assessing risk, but these tend to fall short of giving Information Security professionals the tools to express risk in a meaningful way. FAIR (Factor Analysis of Information Risk) was recently adopted […]

Read more

FAIL Panel Again! Third time’s the charm

The ugly bastard child of the ugly bastard child of FAIL Panel, in its 3rd year running, a discussion on the cybers and other general observations on infosec. We’ll disagree, agree, talk over each other, ramble until cut-off, throw things, contradict each other (and ourselves), have no clue what Jamie is asking us and generally […]

Read more

Microsoft Security Intelligence Report, Canadian Edition

Threats have changed in dramatic and unexpected ways around the world over the past year as attackers continue to hone and evolve their strategies and tactics, and Internet-connected devices proliferate. Using the latest data from hundreds of millions of systems around the world and some of the Internet’s busiest online services, this session will provide […]

Read more

FUFW: 5 Steps to Re-architecting Your Perimeter

The hype train around next-generation firewalls (NGFW) continues to race forward, but replacing one device with a new shiny object isn’t going to ultimately solve the security problem. Securosis analyst Mike Rothman will put NGFW into proper context regarding the evolution of network security and give you 5 steps to move your perimeter protection forward.

Read more

SDN : Radically New Network Architecture, Same Old Cyber Security Protection

As Virtual Machines (VM’s) were the disruptive technology at the end of last century for server and storage platforms, Software Defined Networks (SDN) will be (already is) the first industry-changing, disruptive technology for switch and router platforms in this young century. SDN has already gained grass roots momentum as early adopters Google, Goldman Sachs and […]

Read more

Return of the Half Schwartz FAIL Panel w/Tales from beyond the echo chamber

The ugly bastard child of FAIL Panel, in its 2nd year running, a discussion on Malware letters received to our mailbag and other general observations on infosec. We’ll disagree, agree, talk over each other, ramble until cut-off, throw things and generally entertain you. Vendor and FUD free since last we last remembered to wear underwear.

Read more

Data in the Cloud. Who owns it and how can you get it back?

With the rush to take advantage of all “the Cloud” has to offer, many companies are struggling with the new reality that their data is being sent outside the confines of the corporate environment and being stored in multiple geographic locations. With the Cloud comes the challenge of securing your data, understanding where it is […]

Read more

Reacting to Cyber Crime: Preserving Crucial Evidence for Law Enforcement

Evidence handling is of primary importance for the RCMP Tech Crime Unit Members when called upon to investigate a possible cybercrime. When such an incident occurs, it is important that the IT personnel in place is in a position to clearly identify the potential digital-related evidence and to properly preserve it upon the arrival of […]

Read more

Building a Security Operations Center – Lessons Learned

This presentation will go through the various steps required to craft a Security Operations Center; including hiring and managing an array of human resources, monitoring, reporting, and mitigating technology, and covering the definition of repeatable, scalable processes, such as the OODA loop. The presentation will address the fundamental concepts related to training, structuring, and running […]

Read more

Controlling BYOD before it Becomes Your Own Demise

Mobile security is the hottest topic for senior security professionals as organizations struggle with how to support smartphones and other consumer-grade devices connecting to the network. This session will present a process to evaluate the risk of these devices, define appropriate policies, and control the use of these devices. We’ll also discuss (at a high […]

Read more

How I Learned to Stop Worrying and Love the Cloud

An overview of the risks and mitigations encountered in planning the outsourcing of the United States Mint’s $700 Million a year numismatic ecommerce site. The presentation focuses on how to assess your cloud vendor and specific information and access to request to make sure your data is secure. Many of the mitigations discussed in the […]

Read more

*PT, Chinese cyber-something, the summer of breach and doing it wrong

The ugly bastard child of FAIL Panel, a discussion on Malware letters received to our mailbag and other general observations on infosec. We’ll disagree, agree, talk over each other, ramble until cut-off, throw things and generally entertain you (we may bring chocolates and super secure LiquidMatrix USB keys – as seen as DEFCON). Vendor and […]

Read more

The Defense RESTs: Automation and APIs for Better Security

Want to get better at security? Improve your ops and improve your dev. Most of the security tools you need aren’t from security vendors, they don’t even need to be commercial. You need tools like chef & puppet, jenkins, logstash + elasticsearch & splunk or even hadoop to name but a few. The key is […]

Read more

Forecast of Data Loss in Canada

How many breaches occurred in Canada last year? And how many might there be by 2015? How much personal confidential Canadian data will be lost next year? Join this session to learn which types of firms are losing data and how. He won’t name names, but Dave will quickly walk you through a cool model […]

Read more

Cybercrime in Canada: a Law Enforcement Perspective

This session will highlight the link and differences between security efforts and criminal interdiction. Cybercrime continues to be a significant concern to industry and the public in Canada. This session will highlight some of the important activities now underway to address this criminal threat. Attendees will become aware of crime trends and priority threats. Industry […]

Read more

Everything You Need to Know about Cloud Security (and then some)

Everyone is fired up about the cloud. Per usual, that means most businesses are rushing headlong into the abyss with nary a concern of security or risk management. Yeah, we all know how this ends. And most practitioners don’t even know what they don’t know at this point. Mike will provide the unvarnished truth about […]

Read more

Change Happens: CISO Survival Through Adaptation

The Chief Information Security Officer role is transitioning through unprecedented change in information technology, in both scope and pace. CISOs must learn to adapt in kind and support the four ‘personas’ of the CIO, where the I stands for Infrastructure, Integration, Intelligence and Innovation. This panel will address the trends and adaptation strategies necessary to […]

Read more

Built What? Why The Bad Guys Do It Better

For well over a decade cyber-crime has steadily risen at incredible rates across the world. How is this possible with so many law enforcement and security vendors out there trying to solve the problem? Over the past eleven years viruses and trojans have evolved into a never ending deluge of crimeware campaigns. How is this […]

Read more

Binary Risk Analysis

Security risk analysis techniques are either too complex to be understood by the business or too simple to provide repeatable and meaningful results. Without a proper understanding of the risk associated with security events, businesses are likely to misunderstand the risk that security professionals are working to control. This talk will announce a new, peer […]

Read more

It’s Not About the “Warm Fuzzy” – How to Plan for a Comprehensive Penetration Exercise

It’s time for your annual, mandated penetration test. It may not be accurate, but who cares? You passed! Your boss has a “warm fuzzy”! But where is the business value in testing the perimeter if the perimeter is not the target? It’s time we stopped kidding ourselves and started looking at testing that actually does […]

Read more

The Search for Intelligent Life

For years businesses have been mining and culling data warehouses to measure every layer of their business right down to the clickstream information of their web sites. These business intelligence tools have helped organizations identify points of poor product performance, highlighting areas of current and potential future demand, key performance indicators, etc. In the information […]

Read more

Security When Nanoseconds Count

There’s a brave new frontier for IT Security – a place where “best practices” does not even contemplate the inclusion of a firewall in the network. This frontier is found in the most unlikely of places, where it is presumed that IT Security is a mature practice. Banks, Financial Institutions and Insurance Companies. High Speed […]

Read more

How do we prevent, detect, respond and recover from CRM failures?

In this session Kelly compares customer relations breaches with security breaches, specifically their impacts on organizations. Kelly will then compare Security incident response/handling phases to Customer Relations Breaches (detection, response and recovery), and using examples from personal experience discuss how each of these phases plays a role in effective and successful CRM. He concludes the […]

Read more

400 Apps in 40 Days

You are an information security practitioner who finds them self responsible for the security of their organization’s data. From an application perspective you are most likely looking at hundreds, if not thousands, of internet-facing domains. How do you prioritize one over another? How do you do this on-time and on-budget? This presentation aims to provide […]

Read more

Mastering Trust: Hacking People, Networks, Software, and Ideas.

Why can’t we make the right decision all the time? Our sense of trust is broken. Lies, deceit, fraud, and insinuations make up a large part of crime for a reason. We are bad at trust. It’s in our biology. It’s why we sometimes make the wrong friends, date the wrong people, buy the wrong […]

Read more

How Many Vulnerabilities? And Other Wrong Questions

At every security conference there’s always a group of people asking which is more secure, Windows or Mac, Apache or IIS, IE, Chrome or Firefox. Viewing security solely as a question of vulnerabilities is liking judging a bread solely on how many slashes the baker put on top of it. It just doesn’t matter. It’s […]

Read more

Smashing the stats for fun and profit v.2010

“Smashing the stats for fun and profit v.2010” (or how to convince your boss to spend properly on security) We all know that security vulnerabilities need to be fixed but it can be hard to convince your employer that you deserve a budget so you can do your job properly. Using research from the 2010 […]

Read more

Gates, Guards, and Gadgets: An Introduction to the Physical Security of IT

We’re all familiar with using a defense-in-depth strategy when planning information security, but none of that matters if I can take your datacenter and load it into my truck! Join Kai Axford, a Certified Protection Professional (CPP), as he looks at the various aspects of physical security, such as barrier planning, IP surveillance, lock selection […]

Read more

SDL Light: A practical Secure Development Lifecycle for the rest of us

Security companies are beginning to attack the problem of software vulnerabilities at the source, the development process. Secure coding programs like Microsoft SDL, OWASP SAMM, and BSIMM save the organization money and time by taking the bugs out at the beginning, and avoid costly incident response nightmares. Chris Wysopal, CTO at Veracode, says “Many of […]

Read more
Subscribe to the Sector Blog
Enter your contact information below to have future blog posts delivered directly to your inbox!